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(57) Abstract: The device that legitimately extracts content material from a source is bound to the compliant module that enforces 
copy protection schemes in the distribution of copy protected material. The extraction device (1 10) thereafter binds the extracted 
content material to the compliant module (120) that enforces copy protection. By binding the legitimate extractor (1 10) to the distri- 
bution module (120) that enforces copy protection, other, potentially unauthorized, extractions from other extraction devices, can be 
distinguished. Because the binding of the legitimate extractor (1 10) to the distribution module (120) is used to distinguish legitimate 
extractions, rather man encoding characteristics of the extracted content, such as the presence or absence of a fragile watermark, the 
legitimate extractor (110) can be configured to provide any encoding, including compressed encodings that minimize bandwidth and 
memory requirements. The binding of the extraction device (1 10) to the distribution module (120) can be physical or logical. A 
physical binding relies on the physical integrity of the system to assure that alternative sources cannot gain access to the distribution 
module (120). A logical binding relies on cryptographic techniques to assure that only authorized extractors (110) are bound to 
distribution modules (120). 
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Protecting Compressed Content after Separation from Original Source 



This application claims the benefit of U.S. Provisional Application No. 
60/176,074 filed 13 January 2000, Attorney Docket US000007P. 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

This invention relates primarily to the field of consumer electronics, and in 
particular to the protection of copy-protected content material. 

2. Description of Related Art 

A number of systems have been proposed for protecting content material, such 
as an audio or video recording, from unauthorized copying and unauthorized distribution. 
The Secure Digital Music Initiative (SDMI) and others advocate the use of a "licensed 
compliant module" (LCM) to control the recording and distribution of the protected material. 
The LCM typically stores the protected material in a local storage device in a secure form, 
such as an encrypted form. When the user desires to provide another device, such as a 
portable playback device (PD), with the content material, the LCM verifies that the PD is a 
compliant device, and provides the content material to the device, subject to agreed upon, or 
licensed, conditions. In a typical embodiment, the LCM includes a check-in/check-out 
process, wherein a log is maintained for each copy of each protected material that is provided 
to a PD. When the PD "checks-in" the material, the material is erased from the PD, and the 
log is updated. If the protected material, for example, includes a "one copy at a time" 
restriction, the LCM will not provide another copy of the protected material until a prior copy 
is returned. 

A variety of techniques have been proposed for assuring that the LCM only 
receives and stores authorized copies of the protected material. These security techniques 
have primarily focused on providing a means of distinguishing unauthorized copies of 
material that are distributed via the Internet. Generally, material that is distributed via the 
Internet is distributed in a compressed form, to minimize the bandwidth requirements for 
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downloading the material, and at least one security system is based on the detection of a 
compressed format, or the detection of an uncompressed format that had been compressed. 

The Secure Digital Music Initiative and others advocate the use of "digital 
watermarks" to identify authorized content material. EP 0981901 "Embedding auxiliary data 
5 in a signal" issued 1 March 2000 to Antonius A. CM. Kalker, discloses a technique for 
watermarking electronic material, and is incorporated by reference herein. As in its paper 
watermark counterpart, a digital watermark is embedded in the content material so as to be 
detectable, but unobtrusive. An audio playback of a digital music recording containing a 
watermark, for example, will be substantially indistinguishable from a playback of the same 

1 0 recording without the watermark. A watermark detection device, however, is able to 
distinguish these two recordings based on the presence or absence of the watermark. A 
"robust" watermark can not be removed from the content material without destroying the 
content material. Conversely, a "fragile" watermark, as its name implies, is a watermark that 
is destroyed or damaged if any changes are made to the content material. By encoding 

1 5 protected material with a robust and a fragile watermark, an LCM can detect that the material 
is protected material (via the presence of the strong watermark), and can also detect whether 
the material had ever been compressed or otherwise tampered with (via the absence of the 
weak watermark). 

This fragile-watermarking protection, however, assumes that all authorized 
20 copies of content material will be in an uncompressed form. With the popularity of 
compressed formats becoming more prevalent, however, consumer devices are being 
produced that provide compressed format outputs. For example, application programs on 
personal computers are available that read Compact Discs (CDs) and store the songs from the 
CD onto a hard drive storage unit in compressed form, commonly MP3. Similarly, CD 
25 players are available, or will soon be available, with direct MP3 or similar output for the 
digital transfer of songs to other devices, such as an LCM. In this scenario, a user's 
authorized copy of a song from a CD that the user has purchased will be indistinguishable 
from an unauthorized copy of a song from the Internet, because both copies will have a 
robust watermark, but no fragile watermark. 

30 

BRIEF SUMMARY OF THE INVENTION 

It is an object of this invention to provide a method and system for protecting 
content material from unauthorized copying and/or distribution after this content material is 
removed or copied from its original source. It is a further object of this invention to provide a 
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method and system for distinguishing locally produced compressed files from files that are 
distributed from a remote source, such as an Internet site. 

These objects and others are achieved by binding the device that legitimately 
extracts content material from a source to the compliant module that enforces copy protection 
5 schemes in the distribution of copy protected material. Thereafter, the device that extracts the 
content material binds the content material to the compliant module that enforces the copy 
protection schemes. By binding the legitimate extractor to the distribution module that 
enforces copy protection, other, potentially unauthorized, extractions from other extraction 
devices, can be distinguished. Because the binding of the legitimate extractor to the 

10 distribution module is used to distinguish legitimate extractions, rather than encoding 
characteristics of the extracted content, such as the presence or absence of a fragile 
watermark, the legitimate extractor can be configured to provide any encoding, including 
compressed encodings that minimize bandwidth and memory requirements. The binding of 
the extraction device to the distribution module can be physical or logical. A physical binding 

1 5 relies on the physical integrity of the system to assure that alternative sources cannot gain 
access to the distribution module. A logical binding relies on cryptographic techniques to 
assure that only authorized extractors are bound to distribution modules. 

BRIEF DESCRIPTION OF THE DRAWINGS 
20 The invention is explained in further detail, and by way of example, with 

reference to the accompanying drawings wherein: 

FIG. 1 illustrates an example block diagram of a secure extraction and 
distribution system in accordance with this invention. 

FIG. 2 illustrates an example block diagram of an alternative secure extraction 
25 and distribution system in accordance with this invention. 

FIG. 3 illustrates an example block diagram of an extraction device and 
distribution module that provides secure communication of content material in accordance 
with this invention. 

Throughout the drawings, the same reference numerals indicate similar or 
30 corresponding features or functions. 

DETAILED DESCRIPTION OF THE INVENTION 

FIG. 1 illustrates an example block diagram of a secure extraction and 
distribution system 100 in accordance with this invention. The system 100 includes a 
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compliant extraction device 110 and a compliant distribution module 120. A "compliant" 
component is one that conforms to the security protocols established, such as conforming to 
the SDMI specifications. For example, a compliant extractor determines the distribution and 
copy limits associated with original source material, extracts portions of the content material 
5 only if authorized, and communicates any distribution or copy limits along with each 
extraction. In SDMI terminology, the extraction device 1 1 0 is commonly referred to as a 
"ripper", and the distribution module 120 as a "Licensed Control Module", or "LCM". The 
extraction device 1 10 is configured to extract one or more data items from a source 101 of 
protected or unprotected data. In the context of this invention, the extraction and processing 

10 of protected data is discussed hereinafter. 

In the context of SDMI, the extracted data item is an extraction of one or more 
songs from an album on a CD or other media. The distribution module 120 is configured to 
facilitate maintaining a collection of data items, e.g. songs, on a local storage device 130, and 
to facilitate the distribution of the individual data items to other devices 140, typically 

1 5 portable or stationary playback devices. In other contexts, the distribution module 120 may 
also be configured to facilitate the distribution of the data items to other recording devices or 
other distribution systems. Copending U.S. patent application "NEW PROTOCOL FOR 
SECURE REGISTRATION OF MUSIC (or any data) IN A CHECK IN CHECK OUT 
SYSTEM", serial number 09/548,728, filed 13 April 2000 for Michael Epstein, Attorney 

20 Docket PHA-23,671 describes a method and system for limiting the distribution of protected 
content material among playback devices to conform to licensed distribution rights, and is 
incorporated by reference herein. 

In accordance with a first aspect of this invention, the extraction device 1 1 0 
and the distribution module 120 are bound together, such that the extraction device 1 10 only 

25 provides extracted data item(s) that are bound to a compliant distribution module 120, and a 
distribution device 120 only accepts data items that are bound to it via a compliant extraction 
device 110. 

A compliant component contains a means of identifying itself as a compliant 
component. Typically, a compliant component contains an identifier that is 'certified* by a 
30 "trusted authority". The trusted authority digitally signs the certificate that identifies the 
compliant component, using a private key that is known only to the trusted authority. In 
accordance with this invention, the compliant components 110, 120 also include a public key 
of the trusted authority that is used to verify the digital signature, and the identifier of each 
device corresponds to a public key that is associated with each component 1 10, 120. Each 
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component 1 10, 120 also contains a private key corresponding to the certified public key, as 
a public-private key pair, common in the art. 

To logically bind the two components 1 10, 120 together, a cryptographic 
authentication process is used, as illustrated by the bi-directional arrow 150. Each component 
5 1 10, 120 communicates, via 150, its certified public key to the other 120, 1 10, and each 
component 1 10, 120 verifies that the communicated public key has been certified by the 
trusted authority. To verify that the other component is the compliant component that is 
identified by the certificate, a challenge-response protocol is used. The first component 
transmits a random number to the second component (the challenge). The second component 

1 0 encrypts the random number using its private key, and transmits the encrypted number back 
to the first component (the response). The first component decrypts the encrypted number, 
using the second component's certified public key. If the decryption of the encrypted number 
matches the originally transmitted random number, the second component is verified as being 
the certified component, because only the second component has knowledge of the private 

1 5 key corresponding to its certified public key. This challenge-response process is then 
repeated by the second component, to verify that the first component is the component 
corresponding to the certified public key that was communicated to the second component. 
Other techniques for verifying the identity of a compliant device, common in the art, may 
alternatively be used. In a preferred embodiment, the challenge-response process includes a 

20 time-out limit at each stage, to detect an attempt of copying protected material from a remote 
source, for example, from a remote Internet site. A local extraction and distribution 
component can be expected to provide a response to a challenge within microseconds, 
whereas a remote component might be expected to require milliseconds or more to 
communicate the response back to a remote challenging device. 

25 Note that if another extraction source 1 80 is not a compliant device, the 

authentication process discussed above will fail, as indicated by the dashed arrow 150", and 
the distribution module 120 will not accept content material from this source 180. 

After authenticating that the distribution module 120 is a compliant module, 
the extraction device 110 transmits the extracted content material and digitally signs the 

30 transmission. The compliant distribution module 120 does not accept content material for 
further distribution unless the digital signature of the content material corresponds to the 
signature of the authenticated extraction device 1 10. In this manner, if an alternative source 
180 attempts to substitute material, as indicated by the dashed line 181, after the compliant 
extraction device satisfies the authentication process, the compliant module 120 will 



BNSDOCID: <WO. 



,0152234A1J_> 



/ 

WO 01/52234 4 PCT/EPO0/13227 

6 

recognize the substitution, because the substituted material will not be digitally signed by the 
extraction module 1 10. In a preferred embodiment, a one-time key is used, to prevent 
repeated use, or a secure time-stamp is used, to assure that the signed material is from a 
recently challenged extraction device. 
5 Other security techniques can also be used to assure that the binding between 

the device 110 and module 120 remains secure. FIG. 3 illustrates an example block diagram 
of an extraction device 110 and distribution module 120 that provides a secure 
communication of content material. The binders 330 and 350 in the extraction device 1 10 and 
distribution module 120, respectively, effect the above discussed cryptographic 

10 authentication process, and generate a set of secure keys, Keyl and Keyl'. A cryptographic 
key exchange, such as a Diffie-Hellman exchange, common in the art, is preferably used to 
provide an encryption key, Keyl, for use by the extraction device 1 10, and a decryption key, 
Keyl 1 , for use by the distribution module 120. The keys Keyl and Keyl' may be identical, or 
may each be a corresponding key of an asymmetric key-pair. The extraction device 1 10 

1 5 encrypts the extracted content material using the exchanged key, Keyl , which is commonly 
termed a "session key". In a preferred embodiment, the distribution device 120 stores the 
encrypted material, and also stores the session key that was used to encrypt the encrypted 
material. Thereafter, the distribution module 120 can decrypt the encrypted material as 
required, using the stored session key, Keyl', that is associated with the stored encrypted 

20 material, via a decrypter 370. An optional renderer 380 is configured to render the decrypted 
content material for a direct presentation to a user. 

Also in a preferred embodiment, the playback device 1 40 is configured to 
decrypt the extracted content material. In this embodiment, the distribution module 120 
encrypts the session key Keyl 1 using a second session key, Key2, that is established between 

25 the module 120 and the playback device 140, via the encrypter 360. The encrypted content 
material and the re-encrypted original session key are thereafter communication to the 
playback device 140. The playback device 140 decrypts the encrypted original session key, 
using the second session key Key2, and then decrypts the encrypted extracted content 
material, using this decrypted session key Keyl'. Alternatively, the decrypted content 

30 material from the decrypter 370 is re-encrypted by the encrypter 360 using the second session 
key Key2, and the playback device 140 is configured to decrypt this re-encrypted content 
material directly. 

Another method of binding the extraction device 1 1 0 to the distribution 
module 120 is to physically bind the devices, as illustrated in FIG. 2. In the alternative 
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embodiment of the system 100' in FIG. 2, a compliant extraction device 1 10' is physically 
bound to a distribution module 120*. Any of a variety of techniques can be employed to 
assure the security of this bonding. In a preferred embodiment, the system 100' includes a 
tamper-detection device, such as a frangible device that is attached to an enclosure that binds 
5 the components 110' and 120 f . Alternatively, an integrated circuit can be created that includes 
the output stage of the extraction device 110' and the input stage of the distribution module 
120', so that the actual interface point between the two devices 1 10' and 120' is not accessible 
for inserting a substitute, potentially illicit, copy of copy protected material. Another 
alternative is to merely rely on the lack of an explicit interface port to discourage the "casual" 

1 0 theft of copy protected material via a download from an Internet site. That is, if the extraction 
device 110* and distribution module 120' are within a single enclosure, with no obvious or 
external interconnect point, most consumers will not open the enclosure, decipher the layout 
to determine the interface point, and modify the circuit board to allow for an insertion of an 
illicit copy of a song. Contrarily , unplugging a legitimate source and plugging in an illicit 

15 source via external connections between components 110, 120, such as illustrated in FIG. 1, 
can be considered a reasonably likely occurrence. 

In like manner, if the extraction device 1 1 0' is a software application, such as 
an application that reads content material from a CD or DVD on a personal computer, and 
conventionally stores a compressed file, such as an MP3 file, on a hard drive, then, in 

20 accordance with this aspect of the invention, the distribution module 120' is included within 
the same software application. In this manner, the material that is stored on the hard drive is 
bound to the distribution module 120', preferably in an encrypted form. Thereafter, the 
distribution module 120 f provides material to other playback or recording devices 140 if and 
only if the material on the hard drive corresponds to material that has been bound to the 

25 device 120'. In this manner, material that is placed on the hard drive via another source 1 80, 
such as an Internet connection, will not be distributed by the distribution module 120'. 

In a further embodiment of this invention, the binding process occurs at one 
point in time, and the actual communication of the material occurs at a later time. A time 
limit may still be employed during the authentication process, to verify that the extraction 

30 device 110 and distribution module 120 are in close physical proximity, but thereafter, the 
extraction device 1 10 is configured to allow substantially unrestricted communication of 
protected material to the previously verified module 120, using, for example, the key Keyl 
for all subsequent encodings. In like manner, the extraction device 110 may be configured to 
grant an automatic authentication of the first distribution module 120 that it encounters, 
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thereby minimizing the complexity required for effecting the binding between the extraction 
device 1 10 and the distribution module 120. In this embodiment, the extraction device 1 10 is 
preferably configured to provide protected material only to the first module 1 20 that it 
encounters, thereby precluding the use of the extraction device 1 10 as a provider of widely 
5 distributable copies of the material. That is, for example, when a user acquires an extraction 
device 110, and connects it to a distribution module 120, the initial connection is 
automatically verified relative to the this module 120, thereby facilitating an easy-to-use and 
highly-reliable configuration of the extraction device to a user's environment. Thereafter, 
however, the user is prevented from using this extraction device to provide material to other 

10 users' distribution devices. To allow for a subsequent change to the user's system, a one-for- 
one replacement protocol is provided that allows the replacement of the distribution device 
120 by another distribution device, wherein, after the replacement, a subsequent attempt to 
use the original device 120 with the extraction device 110 will fail. In a preferred 
embodiment, the identifier of the original device 120 is placed in a "revoked identifier 1 ' list 

1 5 maintained by the extraction device 1 1 0 after the replacement. 

In each of the above embodiments, the extraction device 1 1 0 may also be 
configured to access an external source of revoked authorization identifiers. Such revoked 
authorizations may be issued when it is discovered that unauthorized copies of the content 
material originated at the identified device. Copending U.S. patent application "UPDATING 

20 A REVOCATION LIST TO FOIL AN ADVERSARY", serial number 09/370,489, filed 9 
August 1999 for Michael Epstein, Attorney Docket PHA 23,743 describes a method and 
system for distributing lists of revoked authorization identifiers of devices, and is 
incorporated by reference herein. 

The foregoing merely illustrates the principles of the invention. It will thus be 

25 appreciated that those skilled in the art will be able to devise various arrangements which, 

although not explicitly described or shown herein, embody the principles of the invention and 
are thus within its spirit and scope. For example, some copy protection schemes rely on the 
use of a "ticket" that is "punched" at each level of a copy hierarchy. European patent 
EP0906700, "METHOD AND SYSTEM FOR TRANSFERRING CONTENT 

30 INFORMATION AND SUPPLEMENTAL INFORMATION RELATED THERETO", 

issued 7 April 1999 to Johan P.M.G. Linnartz et al, presents a technique for the protection of 
copyright material via the use of a watermark "ticket" that controls the number of times the 
protected material may be rendered, and is incorporated by reference herein. This ticketing 
scheme can be incorporated in this invention by configuring the extraction device 1 1 0 to also 
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"punch" the ticket, and to provide a certified copy of this ticket to the distribution module 
120. Alternatively, if the distribution module 120 provides an identifier, the identifier and the 
ticket can be signed together by the extraction device 1 10. In this maimer, other distribution 
devices are able to detect an attempted reuse of a signed ticket. These and other system 
5 configuration and optimization features will be evident to one of ordinary skill in the art in 
view of this disclosure, and are included within the scope of the following claims. 
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CLAIMS: 



1 . A system (100) comprising: 

an extraction device (110) that is configured to receive protected content 
material and to provide therefrom an extracted data item corresponding to at least a portion of 
the protected content material, and 
5 a distribution module (120) that is configured to receive the extracted data 

item from the extraction device (110), and to store the extracted data item for subsequent 
communication to a playback device (140), 
wherein 

the extraction device (110) is bound to the distribution module (120) so as to 
10 prevent an acceptance of an unauthorized data item by the distribution module (120) from a 
source other than the extraction device (1 10) or another bound device. 



2. The system (100) of claim 1, wherein 

the extracted data item that is stored by the distribution module (120) is bound 
15 to the distribution module (1 20). 

3. The system (100) of claim 1, wherein 

the extraction device (110) and distribution module (120) are bound via a 
physical connection. 

20 

4. The system (100) of claim 1, wherein 

the extraction device (110) and distribution module (120) are bound via a 
cryptographic process. 

25 5. The system (100) of claim 4, wherein 

the cryptographic process includes a timeout limit. 

6. The system (100) of claim 1, wherein 
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the extraction device (1 10) is further configured to compress the portion of the 
content material to form the extracted data item. 

7 - An extraction device (110) comprising: 

5 an extractor (3 1 0) that is configured to extract at least a portion of copy 

protected material from an original source (101) to form an extracted data item and 
a binder (330) that is configured to bind the extracted data item to a 
subsequent receiving device (120). 

10 8 • The extraction device ( 1 1 0) of claim 7, wherein 

the binder (330) includes 

an authentication device that is configured to verify that the 
subsequent receiving device is a device that is compliant with a copy protection standard, and 
the binder (330) binds the extracted data item to the subsequent receiving 
15 device (120) based on the verification of the subsequent receiving device (120). 

9 • The extraction device ( 1 1 0) of claim 7, further including 

a signing device that is configured to digitally sign the extracted data item. 

20 1 0. he extraction device (1 1 0) of claim 9, wherein 

the signing device is further configured to digitally sign a copy-limiting ticket 
that is associated with the copy protected material. 

11. he extraction device ( 1 1 0) of claim 7, further including 

25 311 encryption device (320) that is configured to encrypt the extracted data 

item. 



12. he extraction device (1 10) of claim 1 1 , wherein 

the encryption device (320) encrypts the extracted data item based on a session 
key that is dependent upon a parameter provided by the subsequent receiving device (120). 



30 



1 3 • he extraction device ( 1 1 0) of claim 7, wherein 

the extractor (3 1 0) is further configured to compress the portion of the content 
material to form the extracted data item. 
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14. distribution module (120) that is configured to receive protected content 
material from an extraction device (110), comprising 

a binder (350) that is configured to verify that the received protected content 
5 material is bound to the distribution module (120). 

15. he distribution module (120) of claim 14, wherein 

the binder (350) is configured to verify a digital signature associated with the 
protected content material, and 
1 0 the distribution module (120) provides the protected content material to a 

subsequent receiver (140) based on the verification of the digital signature. 

16. he distribution module (120) of claim 14, further including 

an encryption device (360) that is configured to encrypt the protected content 

15 material. 



17. he distribution module (120) of claim 14, wherein 

the extraction device (110) encrypts the protected content material based on a 
session key that is dependent upon a parameter provided by the distribution module (120), 
20 and 

the distribution module (120) further includes 

an encryption device (360) that is configured to encrypt the session 

key. 



25 1 8. he distribution module (120) of claim 14, wherein 

the extraction device (110) encrypts the protected content material based on a 
session key that is dependent upon a parameter provided by the distribution module (120), 
and 

the distribution module (120) further includes 
30 a decryption device (370) that is configured to decrypt the encrypted 

copy protected material based on the session key. 
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